Promiscuous Mode Problems

Welcome to Security Alerts, an overview of recent Unix and open source security advisories.

In this column, we look at a vulnerability in PHP; buffer overflows in Cisco IOS, Fake Identd, HylaFAX, and EnGarde Secure Linux's resolver libraries; and problems in Sun Fire servers, chfn, chsh, Pine, GNU Mailman, the VNC challenge-response exchange, and the Linux kernel's reporting of interfaces in promiscuous mode.

PHP is vulnerable to an attack that a remote attacker can use to execute arbitrary code or crash the Web server. The flaw is in the code that handles uploads of multipart/form-data. Only PHP versions 4.2.0 and 4.2.1 have been reported to be vulnerable to this attack; versions earlier than 4.2.0 have had other problems reported. Users should upgrade to a release that repairs this flaw.

Some versions of the Linux kernel are reported to have a bug that affects the reporting of interfaces in promiscuous mode: the flag that the usual interface tools read does not always reflect the device's real state. The bug stems from the way the kernel handles multiple interfaces attached to the same network device. An attacker can exploit it to hide a sniffer or other network monitoring tool that has put an interface into promiscuous mode.

A reported workaround is to check interface flags with the ip command from the iproute2 package (for example, ip link show) rather than relying on ifconfig. Users should watch their vendor for an update that repairs this bug.
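As an added example (not part of the column or of the iproute2 project), the following script parses the output of ip -d link show and reports any interface that shows promiscuous mode by either of the two indicators present-day iproute2 prints: the PROMISC flag in the angle-bracket flag list, and the per-device promiscuity counter. Checking both matters because a packet-socket sniffer can raise the counter without the flag appearing, which is the kind of disagreement a hidden sniffer relies on. The sample output embedded below is constructed for the example, not captured from a real host, and the -d counter line is assumed to be available on the reader's iproute2.

```python
import re
import subprocess

# Constructed sample of `ip -d link show` output (not captured from a real host).
# eth0 shows the PROMISC flag and a counter of 1; eth1 shows only the counter
# (the state a packet-socket sniffer can leave behind); lo is clean.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535
"""

# Header line: "<index>: <name>[@peer]: <FLAG,FLAG,...> ..."
HEADER_RE = re.compile(r"^\d+: (?P<name>[^:@]+)[^<]*<(?P<flags>[^>]*)>")
# Detail line printed with -d: "... promiscuity <n> ..."
COUNTER_RE = re.compile(r"\bpromiscuity (?P<count>\d+)\b")


def parse_ip_link(text):
    """Return {iface: {"flag": bool, "count": int}} from `ip -d link show` output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group("name")
            flags = m.group("flags").split(",")
            result[current] = {"flag": "PROMISC" in flags, "count": 0}
            continue
        c = COUNTER_RE.search(line)
        if c and current is not None:
            result[current]["count"] = int(c.group("count"))
    return result


def promiscuous_interfaces(text):
    """List (name, flag_set, counter) for every interface that either indicator
    reports as promiscuous. A counter > 0 with the flag clear is the case the
    flag-only view misses."""
    findings = []
    for name, state in parse_ip_link(text).items():
        if state["flag"] or state["count"] > 0:
            findings.append((name, state["flag"], state["count"]))
    return findings


def main():
    try:
        text = subprocess.run(["ip", "-d", "link", "show"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_IP_LINK  # no usable ip command: fall back to the sample
    for name, flag, count in promiscuous_interfaces(text):
        status = "set" if flag else "CLEAR (counter only)"
        print(f"{name}: PROMISC flag {status}, promiscuity counter {count}")


if __name__ == "__main__":
    main()
```

Run it from cron or a host-audit job; any interface reported with the flag clear but a non-zero counter deserves a look at which process holds the packet socket (for example with ss -0p or lsof).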

Sun Fire machines are Solaris-based, general-purpose server hardware platforms. They are vulnerable to a bug in the environmental monitoring subsystem that a local attacker can exploit for denial of service. This vulnerability has been reported to affect Sun Fire 280R, V880, and V480 servers running Solaris 8.

Linux systems that use the chfn and chsh utilities from util-linux are vulnerable to an attack that can be used to gain additional privileges. chfn modifies the personal information (GECOS) field stored in the password file; chsh changes the login shell. Systems that provide these utilities as part of the shadow-utils package are not vulnerable to this attack.

Users should watch for an updated util-linux package and should consider removing the set-user-ID bits from chfn and chsh until the update is installed.

GNU Mailman is reported to be vulnerable to several cross-site scripting attacks. Under some conditions, an attacker can use them to run arbitrary scripts in other users' browsers.

It is recommended that users upgrade to Mailman version 2.0.12 as soon as possible.

The Cisco IOS TFTP server is vulnerable to a buffer overflow that can be exploited for denial of service and may, under some conditions, be exploitable to execute arbitrary code. The overflow is triggered by requesting a file whose name is 700 bytes or longer. It is reported to affect Cisco IOS versions earlier than 12.0.

It is reported that Cisco is not going to release a patch or fix for this buffer overflow. If the TFTP server is not required, it should be turned off. If it is required, users should contact Cisco for suggested workarounds or other solutions.
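Where the TFTP server must stay on, the trigger described above (a read request naming a file of 700 bytes or more) is easy to recognise on the wire. The following is an added example, not code from the column or from Cisco: a parser for TFTP read/write requests as laid out in RFC 1350 (two-byte opcode, filename, NUL, mode, NUL), with a check that flags requests whose filename reaches the reported trigger length. The sample datagrams are constructed inline; a practitioner would feed it UDP payloads from a capture or an inline filter.

```python
import struct

TFTP_RRQ = 1  # read request opcode (RFC 1350)
TFTP_WRQ = 2  # write request opcode (RFC 1350)
LONG_NAME_THRESHOLD = 700  # filename length reported to trigger the IOS overflow


def build_tftp_request(filename, opcode=TFTP_RRQ, mode=b"octet"):
    """Build an RRQ/WRQ payload: opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


def parse_tftp_request(payload):
    """Return (opcode, filename, mode) for an RRQ/WRQ payload; raise ValueError otherwise."""
    if len(payload) < 4:
        raise ValueError("payload too short for a TFTP request")
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        raise ValueError("opcode %d is not a read or write request" % opcode)
    fields = payload[2:].split(b"\x00")
    # A well-formed request splits into filename, mode and an empty trailer
    # (options per RFC 2347 may follow the mode; they are ignored here).
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("request is not NUL-terminated filename, mode")
    return opcode, fields[0], fields[1]


def is_long_filename_request(payload, threshold=LONG_NAME_THRESHOLD):
    """True when payload is a TFTP request whose filename meets the trigger length."""
    try:
        _, filename, _ = parse_tftp_request(payload)
    except ValueError:
        return False  # not a request at all: DATA, ACK, ERROR or junk
    return len(filename) >= threshold


# Constructed sample payloads, not captured traffic.
SAMPLE_NORMAL = build_tftp_request(b"startup-config")
SAMPLE_OVERSIZED = build_tftp_request(b"A" * 700)
SAMPLE_DATA_PACKET = struct.pack("!HH", 3, 1) + b"some file contents"


if __name__ == "__main__":
    for label, pkt in (("normal RRQ", SAMPLE_NORMAL),
                       ("700-byte name RRQ", SAMPLE_OVERSIZED),
                       ("DATA packet", SAMPLE_DATA_PACKET)):
        print(f"{label}: flagged={is_long_filename_request(pkt)}")
```

The threshold is a parameter because the 700-byte figure is the reported trigger, not a proven lower bound; a detection rule in front of an unpatched IOS device would reasonably alert on anything far longer than the configuration filenames it is expected to serve.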

VNC uses a DES-based challenge-response exchange to provide a basic level of security and to keep the password from being sent across the network in the clear. In some implementations of VNC, a flaw in how the server generates its challenge leaves the system open to a race condition that an attacker can use to log in to the VNC server without knowing the password. A script that checks a system for this vulnerability has been released.

Affected users should watch their vendor for an update that repairs this flaw. All users of VNC software should consider adding a further layer of protection, such as tunnelling VNC over SSH or another form of cryptographic protection.

Fake Identd is a simple ident server that returns static replies. It is vulnerable to a buffer overflow that a remote attacker can exploit to execute arbitrary code on the server as root. Versions of Fake Identd before 1.5 are reported to be vulnerable, and a script that automates remote exploitation of this vulnerability has been released.

Users should upgrade to version 1.5 or newer of Fake Identd as soon as possible, and should disable it until the upgrade has occurred.

HylaFAX, a fax and pager gateway application, is vulnerable to several attacks that can be used for denial of service and possibly to gain additional privileges. They include a buffer overflow in the handling of the TSI (Transmitting Subscriber Identification) string, a buffer overflow in the handling of image data, and a format-string vulnerability.

HylaFAX development recommends that users upgrade to version 4.1.3 or newer.

The BIND 4-derived resolver libraries used by EnGarde Secure Linux are vulnerable to a buffer overflow that may be exploitable by an attacker who controls a DNS server the resolver queries, and can result in arbitrary code being executed. The BIND name server itself is not reported to be vulnerable.

EnGarde Secure Linux recommends that users upgrade as soon as possible to a repaired library.